The company said the breach affected about 2.6 million debit and credit cards at its Michaels locations, and another 400,000 at its subsidiary, Aaron Brothers.

The malware has been removed, the Irving, Texas-based company said.

The affected data includes customer information such as card numbers and expiration dates, though Michaels said there was no evidence that personal info such as names, addresses, or PIN numbers were stolen.

The company is offering free identity protection, credit monitoring, and fraud assistance services to all affected U.S. customer for 12 months.